03.04.20

Gemini version available ♊︎

Techrights Urges Readers to Ask the Linux Foundation’s Let’s Encrypt (Backed by Companies That Give the NSA Back Doors) Some Hard But Legitimate Questions

Posted in GNU/Linux, Security at 3:43 am by Dr. Roy Schestowitz

Logo of Let's Encrypt

Summary: It’s not impossible that the bug in Let’s Encrypt was introduced by a rogue insider, if not someone further up above; Let’s Encrypt must address critical questions or be widely seen as a compromised, untrustworthy CA

JUST like the Linux Foundation, Let’s Encrypt is using Microsoft GitHub for their site and for their code. So much for security, eh? It’s owned by Microsoft, possibly the NSA’s closest partner. But putting that aside, today’s certificates avalanche led us to discovering that the Foundation's executive who came there from James Clapper's office has left the Foundation (she vanished from the management's page). It’s likely just a coincidence, but bringing that up isn’t crazy. We wrote about half a dozen articles already about how the Linux Foundation works for ‘surveillance capitalism’ and the ‘security state’. It’s a matter of public record and it’s easily provable using basic open source intelligence (OSINT).

At work last night, I actually had to step in for clients and urgently change certificates (to avert downtime of critical services). The fiasco is starting to show up in more of the media (but not much of it so far).

We have some facts. For instance, it is clear that somebody changed the code and we don’t know when exactly. This article explains that “Let’s Encrypt explained on Tuesday [less than a day early] it had to revoke the 3 million certificates because of a CAA bug that impacted the way its software checked domain ownership before issuing certificates.”

Here’s what they told the writer: “Josh Aas, executive director of Let’s Encrypt, said in a statement to Threatpost, “A bug was introduced in our code during a feature flag update. Under certain conditions, this bug caused us to skip a check that we are required to perform before issuing a certificate. We determined that the bug affected about 3 million, or about 2.6 percent, of our active certificates. Unfortunately, we need to revoke these certificates, which we will be doing within the compliance timeline set forth by the Baseline Requirements.””

According to this, “Let’s Encrypt will be revoking 3,048,289 currently-valid certificates” (notice how they’re contradicting themselves with the numbers).

“As part of the rules for this feature,” it adds, “authorities must check CAA records at most 8 hours before a certificate is issued.”

Also: “With only 24 hours to renew their certificates, many users are scrambling to get them done and some are running into issues.”

Yes, I should know. This caused much alarm where I work. It’s a fiasco.

We urge readers to ask Let’s Encrypt the following questions (maybe more, maybe less)

  • When did you find out about this bug?
  • Why was it not there before?
  • Which worker is responsible for this bug?
  • When was this worker hired?
  • Is this worker still working for you?
  • Why were the certificates all revoked so fast?
  • Why was this barely announced to the public? Should the Foundation not shout from the rooftops to avert disasters (as opposed to saving face)?
  • Were particular parties/stakeholders informed well in advance?
  • Were government entities informed in advance (in the name of “national security”) and, if so, how long in advance?

The E-mail address to reach them on: security@letsencrypt.org

Alternative/additional E-mail: press@letsencrypt.org

Please share their answers, if any, with us.

If they fail to even respond to these questions, that will not inspire confidence, will it?

Remember Gemalto?

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. Gemini Space/Protocol: Taking IRC Logs to the Next Level

    Tonight we begin the migration to GemText for our daily IRC logs, having already made them available over gemini://



  2. Links 6/12/2021: Gnuastro 0.16 and Linux 5.16 RC4

    Links for the day



  3. Links 5/12/2021: Touchpad Gestures in XWayland

    Links for the day



  4. Society Needs to Take Back Computing, Data, and Networks

    Why GemText needs to become 'the new HTML' (but remain very simple) in order for cyberspace to be taken away from state-connected and military-funded corporations that spy on people and abuse society at large



  5. [Meme] Meanwhile in Austria...

    With lobbyists-led leadership one might be led to believe that a treaty strictly requiring ratification by the UK is somehow feasible (even if technically and legally it's moot already)



  6. The EPO's Web Site is a Parade of Endless Lies and Celebration of Gross Violations of the Law

    The EPO's noise site (formerly it had a "news" section, but it has not been honest for about a decade) is a torrent of lies, cover-up, and promotion of crimes; maybe the lies are obvious for everybody to see (at least EPO insiders), but nevertheless a rebuttal seems necessary



  7. The Letter EPO Management Does Not Want Applicants to See (or Respond to)

    A letter from the Munich Staff Committee at the EPO highlights the worrying extent of neglect of patent quality under Benoît Battistelli and António Campinos; the management of the EPO did not even bother replying to that letter (instead it was busy outsourcing the EPO to Microsoft)



  8. IRC Proceedings: Saturday, December 04, 2021

    IRC logs for Saturday, December 04, 2021



  9. EPO-Bribed IAM 'Media' Has Praised Quality, Which Even EPO Staff (Examiners) Does Not Praise

    It's easy to see something is terribly wrong when the people who do the actual work do not agree with the media's praise of their work (a praise motivated by a nefarious, alternate agenda)



  10. Tux Machines is 17.5 Years Old Today

    Tux Machines -- our 'sister site' for GNU/Linux news -- started in 2004. We're soon entering 2022.



  11. Approaching 100

    We'll soon have 100 files in Git; if that matters at all...



  12. Improving Gemini by Posting IRC Logs (and Scrollback) as GemText

    Our adoption of Gemini and of GemText increases; with nearly 100,000 page requests in the first 3 days of Decembe (over gemini://) it’s clear that the growing potential of the protocol is realised, hence the rapid growth too; Gemini is great for self-hosting, which is in turn essential when publishing suppressed and controversial information (subject to censorship through blackmail and other ‘creative’ means)



  13. Links 4/12/2021: IPFire 2.27 Core Update 162 and Genode OS Framework 21.11

    Links for the day



  14. Links 4/12/2021: Gedit Plans and More

    Links for the day



  15. Links 4/12/2021: Turnip Becomes Vulkan 1.1 Conformant

    Links for the day



  16. IRC Proceedings: Friday, December 03, 2021

    IRC logs for Friday, December 03, 2021



  17. Links 4/12/2021: EndeavourOS Atlantis, Krita 5.0.0 Beta 5, Istio 1.11.5, and Wine 6.23; International Day Against DRM (IDAD) on December 10th

    Links for the day



  18. Another Gemini Milestone: 1,500 Active Capsules

    This page from Balázs Botond plots a graph, based on these statistics that now (as of minutes ago) say: “We successfully connected recently to 1500 of them.” Less than a fortnight ago more than 1,800 capsules overall were registered by Lupa, almost quadrupling in a single year



  19. [Meme] António Campinos and Socialist Posturing

    Staff of the EPO isn’t as gullible as António Campinos needs it to be



  20. António Campinos as EPO President is Considered Worse Than Benoît Battistelli (in Some Regards) After 3.5 Years in Europe's Second-Largest Institution

    The EPO's demise at the hands of people who don't understand patents and don't care what the EPO exists for is a real crisis which European media is unwilling to even speak about; today we share some internal publications and comment on them



  21. Media Coverage for Sale

    Today we're highlighting a couple of new examples (there are many other examples which can be found any day of the year) demonstrating that the World Wide Web is like a corporate spamfarm in "news" clothing



  22. Links 3/12/2021: GNU Poke 1.4 and KDDockWidgets 1.5.0

    Links for the day



  23. IRC Proceedings: Thursday, December 02, 2021

    IRC logs for Thursday, December 02, 2021



  24. Links 3/12/2021: Nitrux 1.7.1 and Xen 4.16 Released

    Links for the day



  25. Links 2/12/2021: OpenSUSE Leap 15.4 Alpha, Qt Creator 6

    Links for the day



  26. The EPO's “Gender Awareness Report”

    There’s a new document with remarks by the EPO’s staff representatives and it concerns opportunities for women at the EPO — a longstanding issue



  27. IRC Proceedings: Wednesday, December 01, 2021

    IRC logs for Wednesday, December 01, 2021



  28. EPO Staff Committee Compares the Tactics of António Campinos to Benoît Battistelli's

    The Central Staff Committee (CSC) of the EPO talks about EPO President António Campinos, arguing that “he seems to subscribe to the Manichean view, introduced by Mr Battistelli…”



  29. Prof. Thomas Jaeger in GRUR: Unified Patent Court (UPC) “Incompatible With EU Law“

    The truth remains unquestionable and the law remains unchanged; Team UPC is living in another universe, unable to accept that what it is scheming will inevitably face high-level legal challenges (shall that become necessary) and it will lose because the facts are all still the same



  30. Links 1/12/2021: LibrePlanet CFS Extended to December 15th and DB Comparer for PostgreSQL Reaches 5.0

    Links for the day


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts